OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PERFORMANCE MEASURE REVIEW:
RELIABILITY OF THE DATA USED TO MEASURE REPRESENTATIVE PAYEE ACTIONS

MARCH 2000   A-02-99-01010

AUDIT REPORT

Office of the Inspector General

March 20, 2000

William A. Halter
Deputy Commissioner
of Social Security

Inspector General

Performance Measure Review: Reliability of the Data Used to Measure Representative
Payee Actions (A-02-99-01010)

To fulfill the responsibilities of our workplan related to performance measurement, we
contracted PricewaterhouseCoopers (PwC) to evaluate nine of the Social Security
Administration’s (SSA) Fiscal Year 1999 performance indicators that were established
by SSA to comply with the Government Performance and Results Act.

Attached is a copy of the final report on one of the performance indicators reviewed.
The objective of this review was to assess the reliability of the data used to measure
performance of the representative payee process.

In addition to releasing individual reports on the performance indicators reviewed, PwC
released a summary report on all of the indicators reviewed. SSA commented on the
summary report, Performance Measure Review: Summary of PricewaterhouseCoopers’,
LLP Review of the Social Security Administration's Performance Data (A-02-00-20024).
Agency comments to the summary report were provided to us on January 28, 2000.
The comments related to the subject of this report are included in Appendix C. PwC
reformatted the Agency comments to align them with the firm's recommendations
presented in the final report. Nonetheless, SSA's comments were not changed during
the reformatting process.

You do not need to respond to this report, since you are responding to the same
comments attached to PwC’s summary report. If you wish to discuss the final report,
please call me or have your staff contact Steven L. Schaefer, Assistant Inspector
General for Audit, at 410-965-9700.

James G. Huse, Jr.

Attachment

Evaluation of Selected Performance Measures of the Social Security Administration:
Reliability of the Data Used to Measure Representative Payee Actions

Office of the Inspector General
Social Security Administration

Agency comments to this report were provided to us on January 28, 2000. Many of the
recommendations made in this report are also found in earlier financial statement audit
reports. In Appendix C, the Agency notes in its comments, “Since we are already taking
corrective actions for those that we accepted as valid, we will not be addressing the
duplicate recommendations in this response.”

For the reader to be fully aware of SSA’s comments that were made to each of the
duplicate recommendations found in this present report, we incorporated those Agency
comments, that were made contemporaneous to the earlier audit report recommendations,
as part of the Agency comments located at Appendix C of this report.

A-02-99-01010    February 18, 2000

Table of Contents

Performance Measures Evaluation

 Introduction
 Results of Engagement
 Other Matters

Appendix A: Background
Appendix B: Scope and Methodology
Appendix C: Agency Comments and PwC Comments
Appendix D: Performance Measure Summary Sheets
Appendix E: Performance Measure Process Maps

INTRODUCTION

The Government Performance and Results Act (GPRA), Public Law Number 103-62,
107 Statute 285 (1993), requires the Social
Security Administration (SSA) to develop
performance indicators for fiscal year (FY) 1999 that assess the relevant service levels
and outcomes of each program's activity. GPRA also calls for a description of the
means employed to verify and validate the measured values used to report on program
performance. SSA has stated that the Office of the Inspector General (OIG) plays a
vital role in evaluating the data used to measure performance. The OIG contracted
PricewaterhouseCoopers (PwC) to evaluate the following GPRA performance
indicator(s):

1. Percent of OASI claims processed by the time the first regular payment is due,
   or within 14 days from effective filing date, if later
2. OASI claims processed
3. Percent of initial SSI aged claims processed within 14 days of filing
4. SSI aged claims processed
5. Representative Payee Actions
6. SSN requests processed
7. Annual earnings items
8. Percent of earnings posted to individuals’ records by September 30
9. Percentage of individuals issued SSA-Initiated PEBES as required by law

To evaluate the nine SSA performance indicators established by SSA to comply with
GPRA, PwC was contracted to:

• Gain an understanding and document the current FY 1999 system sources from
  which data is collected to report on the specified performance measures;
• Identify and test critical controls (both electronic data processing (EDP) and manual)
  of current FY 1999 systems from which the specified performance data is generated;
• Test the accuracy of the underlying FY 1998 data for each of the specified
  performance measures;
• Recalculate each specific FY 1998 measure to ascertain its mathematical accuracy;
• Evaluate the impact of any relevant findings from prior and current audits with
  respect to SSA's ability to meet performance measure objectives; and
• Identify findings relative to the above procedures and make suggestions for
  improvement.

This is one of six separate stand-alone reports, corresponding to the following SSA
process, performance measure (PM), and Contract Identification Number (CIN):

• Representative-Payee Actions (PM #5)    A-02-99-01010

This report reflects our understanding and evaluation of the representative payee
actions process. The report is organized in the following manner. The next section
titled "Results of Engagement" identifies our findings and explains their relevance to
SSA performance measurement. It also provides recommendations and suggestions
for improvement. The subsequent "Other Matters" section discusses the relevance of
each performance measure with respect to GPRA.
All other information is contained in
the appendices, as follows:

APPENDIX A – Background
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – Performance Measure Summary Sheets
APPENDIX E – Performance Measure Process Maps


RESULTS OF ENGAGEMENT

During the period of June 9, 1999 to October 1, 1999, we evaluated the current
processes, systems and controls, which support the FY 1999 SSA performance
measurement process. In addition, we determined the accuracy of the underlying
performance measure data. Since FY 1999 data were not always available, we often
used FY 1998 data to perform our testing. Although SSA was not required to comply
with GPRA until FY 1999, they voluntarily reported results in the FY 1998 Accountability
Report for Representative Payee Actions. As a result, we were able to use our
knowledge of current processes, systems, and controls to judge the accuracy of the
performance measures based on the FY 1998 results.

Our evaluation allowed us to determine that the reported FY 1998 result of the
performance measure tested (as itemized below) was reasonably stated.

   Performance Measure                 Reported Result
   5. Representative Payee Actions           7,063,595

However, we did note the following nine opportunities for improvement, listed in order of
their relative importance:

1. SSA lacks sufficient performance measure process documentation and did not retain
   documents to support the FY 1998 amounts
2. SSA has a number of data integrity deficiencies
3. SSA's system environment has security deficiencies
4. This performance measure could better reflect agency performance
5. GPRA documents prepared for external evaluation of SSA performance do not
   clearly indicate the sources of the performance measures
6. A component was inadvertently omitted when calculating the total of one of the
   performance measures
7. The Cost Analysis System (CAS) procedural and systems documentation have not
   been updated
8. SSA has systems design and documentation deficiencies
9. SSA has a number of deficiencies in their systems contingency plan

Additionally, we evaluated the appropriateness of the nine performance measures with
respect to the future requirements of GPRA. As a result, we noted three areas in which
SSA could better prepare itself to incorporate the final phases of GPRA in their
processes. These results are discussed below in the Other Matters section.

These items were noted as a result of our testing the underlying performance measure
data, as well as the EDP and manual controls of the systems generating the
performance measure data, and are discussed in detail below.

Throughout our evaluation of the nine performance measures, we noted the strong
commitment of SSA's staff to correctly implement GPRA.


1. SSA lacks sufficient performance measure process documentation and did
   not retain documents to support the FY 1998 amounts

GPRA requires that agencies "describe the means to be used to verify and validate
measured values." Furthermore, the Office of Management and Budget (OMB) Circular
No. A-123, Internal Control Systems, requires that "documentation for transactions,
management controls, and other significant events must be clear and readily available
for examination."
Finally, National Institute of Standards and Technology (NIST) Special
Publication 800-18, 5.MA.7, requires that system documentation be maintained as part
of a formalized security and operational procedures record. Therefore, agencies must
establish a clear methodology for verifying performance measure values, and retain the
appropriate documentation to enable an audit of their performance measure values
based on the methodology. Although this requirement was not effective for the FY 1998
Accountability Report, it is effective beginning in FY 1999.

While general policies and procedures exist for all documents produced at SSA (as
found in the SSA Administrative Instructions Manual System/Operational and
Administrative Record Schedules), SSA does not have formal policies and procedures
in place regarding the retention of performance measure documentation. During
testing, we noted that SSA lacked sufficient documentation regarding the processes
surrounding the accumulation and generation of performance indicator data.
Furthermore, SSA could not consistently provide the documentation necessary to verify
their performance measure values as reported in their FY 1998 Accountability Report.

Specifically, we noted that SSA was unable to provide a comprehensive process map
documenting the flow of performance measure data from the change in Representative
Payee (Rep Payee) information or the initiation of a Rep Payee accounting, through
either the Program Center Action Control System (PCACS, the system of record for
international Rep Payee events), or the Integrated Workload Management System
(IWMS, the system of record for non-international Rep Payee events), to the
accumulation of yearly performance measure data in the Cost Analysis System (CAS).
Furthermore, neither the definition of a Representative-Payee, nor the actions that
comprise this count are clearly defined, and during testing we noted that few people at
SSA could define this performance measure or describe its composition.

If SSA does not establish a methodology for verifying performance measure values and
institute an adequate document retention system, they will not be in compliance with
GPRA. Furthermore, a significant lack of documentation does not provide a proper
audit trail to facilitate verification of the performance measures as required by GPRA.

Recommendations:
We recommend that SSA expand the role of Office of Strategic Management (OSM)
with respect to performance measures or place ownership for the performance measure
process and reporting within an organizational unit. In either case, data ownership
would still remain with the user organizations. However, an organizational unit should
be accountable for the overall performance measure processes and results. Their
charter should include the following responsibilities:

• Identify and document the processes surrounding the generation and accumulation
  of performance measure values. This would establish a clear method for verifying
  and validating the performance measures

• Establish policies and procedures surrounding the retention of performance measure
  documentation. The documentation retained should allow for the timely verification
  of the performance measure values, and should be maintained for at least one year

• As new systems are developed, evaluate their potential impact on the accumulation
  of performance measure data. Systems with potential impact should be designed to
  include the means of producing a verifiable audit trail to validate the performance
  measure results as they are defined in the Accountability Report


2. SSA has a number of data integrity deficiencies

OMB Circular No.
A-127, Financial Management Systems, requires that a Federal
Agency's systems include a system of internal controls to ensure that the data used to
produce reports is reliable. During our FY 1999 Financial Audit, we noted a number of
data integrity deficiencies that result in a lack of control over both the input and
maintenance of data, as well as the resolution of suspense items. While an adverse
effect upon performance measure data was not observed during our testing, this lack of
control can affect the validity and completeness of the performance measures as
follows:

• When DACUS (Death, Alert, and Control Update System) receives death information
  and compares it to SSA’s NUMIDENT, MBR, SSR, and Black Lung databases
  without a successful match, the record is posted to the DACUS exception file.
  However, no subsequent follow-up is performed on items in this exception file to try
  to resolve any matches that may not have been detected based on the automated
  matching algorithm. While this data may not have a direct effect on the performance
  measures, a noted lack of data verification in these databases indicates the
  possibility that other data lacks integrity

• SSA’s current practice of obtaining death data does not ensure that this data is
  entered into DACUS accurately, timely, and only once (affects the NUMIDENT,
  MBR, and SSR).
  While this data may not have a direct effect on the performance
  measures, a noted lack of data verification in these databases indicates the
  possibility that other data lacks integrity

• A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases
  where either the individual was alive and in current pay status on the MBR/SSR but
  listed as dead on the NUMIDENT, or the corresponding records of a given individual
  had significant differences in dates of death. While this data may not have a direct
  effect on the performance measures, a noted lack of data verification in these
  databases indicates the possibility that other data lacks integrity

• A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases
  where the corresponding records of a given individual had significant differences in
  dates of birth. While this data may not have a direct effect on the performance
  measures, a noted lack of data verification in these databases indicates the
  possibility that other data lacks integrity

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend the following:

• SSA should develop policies and procedures for the resolution of unmatched items
  in DACUS and establish a work group with primary responsibility for resolution.
  One
  of the duties of this group should be to analyze patterns in exceptions and facilitate
  the implementation of changes to the automated matching algorithm to make it more
  effective

• SSA should implement: 1) initiatives to reduce the amount of time required by
  outside sources for submitting death notifications, such as the electronic death
  certificate project currently being tested; and, 2) a method to prevent the submission
  or receipt of duplicate information, whether submitted from the same or different
  sources (DACUS, NUMIDENT, MBR, SSR)

• With the completion of the Year 2000 project in FY2000, SSA should begin
  implementation of DACUS Release 2 (a high priority of SSA’s five-year IRM plan), to
  provide functionality to automatically delete NUMIDENT death postings when a
  person is “resurrected” on the MBR and SSR (NUMIDENT, MBR, SSR)

• SSA should firm up plans to implement the ICDB R2 functionality for the SSI system
  (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT
  (NUMIDENT, MBR, SSR)


3. SSA's system environment has security deficiencies

We noted in our FY 1999 Financial Audit that SSA’s systems environment remains
threatened by weaknesses in several components of its information protection internal
control structure. Because disclosure of detailed information about these weaknesses
might further compromise controls, we are providing no further details here. Instead,
the specifics are presented in a separate, limited-distribution management letter, dated
November 18, 1999.
The general areas where weaknesses were noted are:

• The entity-wide security program and associated weaknesses in developing,
  implementing and monitoring local area network (LAN) and distributed systems
  security;

• SSA’s mainframe computer security and operating system configuration;

• Physical access controls at non-headquarter locations; and

• Certification and accreditation of certain general support and major application
  systems.

Until corrected, these weaknesses will continue to increase the risks of unauthorized
access to, and modification or disclosure of, sensitive SSA information. While these
weaknesses do not directly affect the performance measures, a risk still exists.
Unauthorized access to sensitive data can result in the loss of data associated with
SSA’s enumeration, earnings, retirement, and disability processes and programs, thus
affecting all performance measures.

Recommendations:
As previously reported in the FY 1998 Accountability Report, we recommend that SSA
accelerate and build on its progress to enhance information protection by further
strengthening its entity-wide security as it relates to implementation of physical and
technical computer security mechanisms and controls throughout the organization.
In
general, we recommend that SSA:

• Reevaluate its overall organization-wide security architecture;

• Reassess the security roles and responsibilities throughout the organization’s central
  and regional office components;

• Assure that the appropriate level of trained resources are in place to develop,
  implement and monitor the SSA security program;

• Enhance and institutionalize an entity-wide security program that facilitates
  strengthening of LAN and distributed systems’ security;

• Review and certify system access for all users;

• Enhance procedures for removing system access when employees are transferred
  or leave the agency;

• Decrease vulnerabilities in the mainframe operating system configuration;

• Implement the mainframe monitoring process;

• Finalize accreditation and certification of systems;

• Develop and implement an ongoing entity-wide information security compliance
  program; and

• Strengthen physical access controls at non-headquarters sites.

More specific recommendations are included in a separate, limited-distribution
management letter, dated November 18, 1999.


4. This performance measure could better reflect agency performance

GPRA requires Federal agencies to "establish performance indicators to be used in
measuring or assessing the relevant outputs, service levels, and outcomes of each
program activity." Accordingly, the performance measures used should clearly
represent the outcome of the related performance goal. While GPRA-based metrics are
intended as external performance measurement tools, this must be balanced by an
organization's ability to measure and improve its own performance from within.
For
Performance Measure #5, numerous activities are included in one count. The count
includes selection of a representative payee (nonselects are also included in the count),
changes of payees, Representative Payee accountings, investigations of
Representative Payees, suspension of Representative Payees and change of
information for Representative Payee. The Representative Payee accounting process
includes accounting for Title II and Title XVI, as well as accounting for Representative
Payees who live abroad.

According to SSA performance planning documents, the objective of the measure is to
combat fraudulent actions on the part of Representative Payees. To accomplish that,
the measure looks at the total number of Representative Payee actions that occur within
a year to determine whether SSA is monitoring the actions associated with
Representative Payees appropriately. While the measure might render a rough
indication of the level of activity directed toward Representative Payees, the results of
the measure are ambiguous because the inputs are obtained from such diverse
activities.

There are two interrelated reasons for this performance measure's ambiguity. First, this
metric is actually a workload input, which we acknowledge to be a generally useful
component of the performance planning process. However, in this case, the level of
effort required for the various types of work covered by this count vary greatly. For
example, the cost of processing a Representative Payee application is understandably
significantly different than the cost of performing an annual accounting of a
Representative Payee. Second, SSA must be able to gauge improvement for this
measure.
However, this performance measure tracks a wide diversity of activities,
which does not facilitate the use of a single gauge for improvement.

Recommendations:
We recommend that SSA divide this performance measure into two separate metrics:
(1) Representative Payee Changes, and (2) Representative Payee Accounting. This
would result in two groupings of activities that would be more homogenous with respect
to cost and/or resource requirements. It would also be straightforward to implement
since the required data is already obtained and stored in the CAS system.


5. GPRA documents prepared for external evaluation of SSA performance
   could better document the sources of the performance measures

Since FY 1999, OMB circular A-11, Preparation and Submission of Strategic Plans,
Annual Performance Plans, and Annual Program Performance Reports, states that "the
annual plan must include an identification of the means the agency will use to verify and
validate the measured performance values." This suggests that an agency should detail
the source of performance data. SSA's documents prepared for external reporting,
including the 1997-2002 Strategic Plan, the FY 2000 Annual Performance Plan, and the
FY 1998 Annual Accountability Report, could better document the SSA sources used to
obtain the performance measures we evaluated.

In the case of three performance measures, the FY 2000 Annual Performance Plan, the
most recent document at the time of this evaluation, does list a data source for
Performance Measure #1 as "The End-of-Line Processing Report," a data source for
Performance Measure #3 as "The Title XVI Processing Time System," and a data
source for Performance Measure #8 as the "Earnings Posted Overall Cross Total/Year
to Date System (EPOXY)." However, the external stakeholder is not told of the origin of
these documents or of the underlying processes and programmatic systems that
produce the reported metrics.
Furthermore, the sources of the other six measures are
not clearly indicated.

All nine metrics are referred to in the SSA documentation as GPRA indicators. As a
result, OMB Circular A-11, Section 220.12, requires that they be documented. By
improving the description of the sources, SSA would enhance the credibility of the
underlying data used to formulate each performance measure.

Recommendation:
We recommend that SSA develop clear and concise descriptions of each performance
measure's source. As specifically recommended by OMB Circular A-11, these
descriptions should include:

• The current existence of relevant baseline data, including the time-span covered by
  trend data;
• The expected use of existing agency systems in the collection and reporting of data;
• The source of the measured data;
• Any expected reliance on an external source(s) for data, and identification of the
  source(s); and
• Any changes or improvements being made to existing data collection and reporting
  systems or processes to modify, improve, or expand their capability.


6. A component was inadvertently omitted when calculating the total of one of
   the performance measures

OMB Circular No. A-127, Financial Management Systems, requires that an Agency's
information systems (for both financial and performance measure information) include a
system of internal controls to ensure that "reliable data are obtained, maintained, and
disclosed in reports," and that the internal controls "be applied to all system inputs,
processing, and outputs."
During our testing, we noted that the number reported for
International Representative Payee accountings was inadvertently omitted in the total
number of Representative Payee Actions reported in the FY 1998 Accountability Report.
The total number of Representative Payee Actions is manually calculated, but the
process is not reviewed to ensure accuracy. A lack of adequate control over the
process caused the total number of Representative Payee Actions to be understated in
the FY 1998 Accountability Report. Without adequate controls in place to ensure all
relevant amounts are included in the performance measure counts, SSA could misstate
the total counts as they appear in the Accountability Report.

Recommendations:
We recommend that SSA develop and implement a review process for the manual
calculation of the annual Representative Payee Action total count.


7. CAS procedural and systems documentation have not been updated

OMB Circular A-127, Financial Management Systems, requires that all system
"documentation (software, system, operations, user manuals, operating procedures,
etc.) shall be kept up-to-date" and that "system user documentation shall be in
sufficient detail to permit a person, knowledgeable of the agency's programs and of
systems generally, to obtain a comprehensive understanding of the entire operation of
each system.
Technical systems documentation such as requirements documents,
systems specifications and operating instructions shall be adequate to enable technical
personnel to operate the system in an effective and efficient manner."

During our FY 1999 Financial Audit testing, we noted that the procedural and systems
documentation for CAS was not current, with the last update occurring in FY 1995.
Since this last update, two major changes have occurred: (1) a reorganization that
combined functions of the former Cost Analysis Branch and the former Budget Systems
Branch into the Division of Cost Analysis (DCA), and (2) migration of CAS to the
National Computer Center mainframe computer system. Thus, out-of-date
documentation could result in a situation where new and/or existing DCA employees do
not have adequate reference material to assist them in the timely and successful
completion of their job tasks/responsibilities. If SSA does not use CAS successfully, all
performance measure indicators accumulated using CAS (including #5) could be
affected. Data relating to the relevant performance measures may not be accumulated
correctly or completely. It should be noted that SSA is in the process of replacing CAS
piecemeal. As segments are replaced, SSA has obtained current systems
documentation (but not procedural documentation).

Recommendations:
We recommend that DCA explore alternatives for acquiring the resources needed to
update the existing CAS procedural and systems documentation, and to obtain
procedural documentation for the replacement systems.


8. SSA has systems design and documentation deficiencies

During our FY 1999 Financial Audit testing, we noted specific systems design and
documentation deficiencies that indicate a lack of control over both the system design
and documentation. While these deficiencies do not have a direct effect on the
performance measures, a risk still exists.
This lack of control affects the ability of SSA
to effectively design, implement, and use their computer systems. If SSA is not
effectively using their computer systems to accumulate and calculate performance
measures, the resulting performance measure amounts could be affected. Our specific
findings were:

• Full documentation of program changes evidencing user approval and testing was
  not always maintained. In addition, user initiation of changes to production
  programs could not be confirmed due to the absence of documentation indicating
  who initiated the changes;

• Software Engineering Technology (SET) did not establish different requirements for
  major development projects, routine maintenance, and cyclical changes; and

• SSA’s System Security Handbook (Chapter 10 on Systems Access Security) does
  not list all of the acceptable forms for granting access to SSA’s computerized
  systems and data.

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend the following:

• SSA should complete implementation of its Validation Transaction Tracking System
  (VTTS) and continue with its plan to automate the process for submitting System
  Release Certification (SRC) forms

• SSA should complete implementation of Platinum's Process Engineering Tool (PET)
  and institutionalize Carnegie Mellon's Software Engineering Institute's Capability
  Maturity Model (CMM) methodology

• SSA should update its System Security Handbook (Chapter 10 on Systems Access
  Security) to address all of the acceptable forms for granting access to SSA’s
  computer systems and data


9. SSA has a number of deficiencies in their systems contingency plan

As a result of the FY 1999 financial audit, we noted a number of deficiencies which, in
our view, would impair SSA’s ability to respond effectively to a disruption in business
operations as a result of a disaster or other long-term crisis. Although SSA has
performed a Business Impact Analysis, its list of critical workloads is still being finalized,
and recovery time objectives (RTOs) have not yet been established for each of the
critical workloads. Consequently, SSA has not established recovery priorities for all of
its systems in the mainframe and distributed environments. Further, the plan for
recovering the critical workloads still needs to be fully tested. Finally, SSA has not fully
updated the contingency plans for the headquarters site or finalized and tested
contingency plans for non-headquarters sites.

While deficiencies in a contingency plan do not directly affect performance measures,
a risk still exists.
A failure to respond effectively to a disruption through proven recovery
procedures could affect both the quality and quantity of data used in the accumulation
and calculation of all performance measures.

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend that SSA:

• Finalize the list of critical SSA workloads and fully test the plans for recovering each
  workload;

• Establish RTOs for each critical workload;

• Establish recovery priorities for all systems and applications (mainframe and
  distributed);

• Update contingency plans for headquarters;

• Finalize and test SSA’s ultimate strategy for implementing and maintaining alternate
  processing facilities; and

• Finalize and test contingency plans for non-headquarters sites.



OTHER MATTERS
As part of this evaluation, PwC was tasked to evaluate the appropriateness of the
performance measures. In this section, we discuss the relevance of each performance
measure with respect to GPRA and look to the future by evaluating SSA's readiness to
incorporate the final phases of GPRA into their processes.

1. Documents prepared for external evaluation of SSA performance could be
   improved to clearly explain the intended uses of the performance measures
   to comply with future GPRA requirements

The United States General Accounting Office (GAO) encourages agencies to "include
explanatory information on the goals and measures." 1 In addition, best practices in
performance measurement dictate that agencies should provide external stakeholders
with such information.
Furthermore, it can be expected that agencies will be required to
provide such information in the near future as GPRA continues to evolve.

Over the past few years, SSA has continuously improved their performance planning
documents by adding in-depth discussions on their strategies and key performance
indicators. With respect to the performance metrics studied as part of this evaluation,
however, the 1997-2002 Strategic Plan, the FY 2000 Performance Plan, and the FY
1998 Annual Accountability Report do not clearly explain the intended purpose of each
performance measure with respect to evaluating overall SSA performance. In each
case, the documents clearly associate each metric with the strategic goals and
objectives that they support, but they do not explain to the external stakeholder exactly
how they are applied.

Describing the use of these performance measures would help to clarify the overall
objectives of the SSA strategic planning process and would clarify how the subject
metrics fit into that process.

1 GAO/GGD/AIMD-99-69, "Agency Performance Plans"

In a July 1999 report2, the General Accounting Office (GAO) rated Fiscal Year 2000
Annual Performance Plans of all federal agencies in three key elements of “informative
performance plans:”

1. Clear pictures of intended performance
2. Specific discussion of strategies and resources
3. Confidence that performance information will be credible

Although SSA was considered relatively strong as compared to most other agencies,
their weakest ratings were received for the categories of "Degree of Confidence that
Performance Information will be Credible" and "Specificity of Strategic Resources." Our
observations were consistent with these findings (see Item #5 in previous section,
Results of Engagement).
However, if SSA develops clear and concise descriptions of
each performance measure's source and its intended strategic use, we believe they can
bolster their future GAO ratings relative to informative performance plans.


2. The nine performance measures are not explicit performance budgeting
   metrics, but are nonetheless appropriate internal performance indicators
   and are useful to the SSA strategic planning process

An important intent of GPRA in the future is to facilitate performance budgeting, which
will allow Federal agencies to allocate resources in an effort to achieve "optimal" results.
Consequently, agencies must develop measures that will help external stakeholders
such as Congress to match resources to performance.

Under GPRA requirements, an agency must rely on two distinctive types of measures:

         Outcome performance measures. These measures are intended to gauge the
         effectiveness of the organization at fulfilling its strategic goals. Often, however,
         these performance measures are not completely under the span of influence of
         the organization. Consequently, while they represent good measures of the
         accomplishment of a strategic goal, they do not reflect the success of an
         organization in contributing to the achievement of the goal.

         Workload and output performance measures.3 These measures are used to
         gauge the level of effort required for a given activity, including characteristics
         established as performance standards (e.g., Percent of OASI claims processed
         by the time the first regular payment is due or within 14 days from effective filing
         date, if later).

2 GAO/GGD/AIMD-99-215, July 1999.

3 The SSA documentation refers to such metrics strictly as outputs, but that is merely a matter of
semantics.
In either case, they refer to a level of effort for a given activity.

While outcome performance measures are often more accurate indicators of the
success or failure of an organization's strategic goals, it is workload and output
measures that fall under an organization's span of influence. Consequently, workload
and output measures are more often used in external reporting to support organizational
activities. However, these workload and output performance measures are seldom
related to either outcomes or amount of resources spent processing the workload or
creating the output. As a result, they represent little value to external stakeholders
making resource allocation decisions.

If viewed in isolation, none of the nine performance measures considered on this project
would suffice as explicit outcome performance measures for external stakeholders to
use in a resource allocation or performance budgeting oversight role. However, that is
not to say that these measures are not of value. In fact, they indicate to external
stakeholders, including congressional appropriators, customers, policy makers, and the
general public, how effective SSA is at fulfilling its overall mission. More importantly,
they serve a useful internal purpose in the SSA performance planning process. For
example, many of the measures we analyzed (Performance Measures 2, 4, 5, 6, and 7)
are workload counts, which are important for individual program managers when
making management decisions.

       Performance Measure #5. The SSA FY 1998 Accountability Report references
       this metric as "Other Workloads" supporting the strategic objective "to position
       the Agency's resources and processes to meet emerging workloads." This, in
       turn, supports the strategic goal "to make SSA program management the best in
       business, with zero tolerance for fraud and abuse."
       These uses are reiterated in
       Appendix 1 of the FY 2000 Annual Performance Plan.

       This measure is not particularly valuable to an external stakeholder for
       performance budgeting because it does not relate resource utilization to outputs
       or outcomes. However, it is clearly not intended for that purpose because the
       SSA documentation identifies it as an output measure for workloads and it does
       help to indicate the overall effectiveness of SSA at fulfilling its mission.

To SSA's credit, they have developed a number of useful performance measures in the
spirit of GPRA and have discussed them in proper detail in the FY 2000 Performance
Plan. 4 As we have shown, the nine performance measures covered by this project
cannot be considered as true high-level, external measures. Nevertheless, they do appear
to have specific uses, as discussed above. Again, SSA would benefit the external
stakeholder by clarifying exactly what these intended uses are (see “Other Matters” item
#1).

4 In earlier documents, such as the FY 1998 Accountability Report, SSA presented the
performance measures in a manner that seemed to give each one equal weight. In the more
recent documents, however, SSA has placed greater emphasis on the more high-level, outcome
oriented performance measures.


3. SSA is positioned to be a leading performance-based budgeting
   organization and to meet the future requirements of GPRA

Since 1988, SSA has an established history of strategic planning, using specific
performance measurements.
Building on this history, SSA implemented GPRA's
requirements for strategic planning, performance planning, and performance reporting.
One of GPRA's ultimate objectives is to facilitate performance budgeting, which will
allow Federal agencies to allocate resources in an effort to achieve "optimal" results.
Consequently, to help external stakeholders such as Congress match resources to
performance, agencies must eventually develop performance measures that are linked
to resource requirements.

Performance budgeting is the analysis of performance measurement data for the
purpose of allocating budgetary resources more effectively. Specifically, performance
budgeting for GPRA is complete upon the submission of multiple resource-to-result
scenarios within one annual budget.

The final stage of GPRA implementation is the successful piloting of performance
budgeting at no less than five federal agencies. Currently, few federal agencies are
capable of acting as a performance budgeting pilot and this final stage of GPRA has
consequently been delayed. However, the Office of Management and Budget (OMB)
has recently designated SSA as one of the government-wide performance budgeting
pilot projects. Within SSA, the Continuing Disability Reviews program is the specific
activity covered by this designation. OMB considers the performance budgeting pilot
projects to be an opportunity to examine the feasibility and potential application of
several approaches to performance budgeting. In this context, OMB intends to use
performance and resource data provided by the pilots during development of the FY
2001 budget and to report to Congress on the results of the pilots no later than March
31, 2001, as required by GPRA.
With proper planning and preparation, SSA is uniquely
positioned to be one of the first truly successful performance-based budgeting
organizations.

In anticipation of the next phase of GPRA, we believe SSA needs to develop a suitable
performance budgetary model by combining cost accounting concepts with performance
measurement methodology. A high-level description of one possible model is listed
below:

• SSA defines a set of reporting segments that represent all of their work.
• SSA maps their performance measurements to these specific reporting segments.
• SSA calculates person-hours associated with these reporting segments, so that all
  personnel within SSA are accounted for in the model.
• SSA builds the model around this data to allow for current resource to
  workload/result analysis and future resource to workload/result forecasting.

SSA could build this model at any level of detail: by resource type, resource location, or
any other classification methodology.
By linking resources to performance goals at this
level of detail, SSA would thus satisfy the annual performance-planning requirement for
specificity of strategies and resources, while striving to become the first agency to
successfully implement performance budgeting.



APPENDICES

APPENDIX A – Background

APPENDIX B – Scope and Methodology

APPENDIX C – Agency Comments

APPENDIX D – Performance Measure Summary Sheets

APPENDIX E – Performance Measure Process Maps



Appendix A

BACKGROUND

Government Performance and Results Act

The Government Performance and Results Act (GPRA) was enacted to increase
accountability in the Federal agencies. Prior to GPRA, Federal agencies lacked
well-defined program goals and adequate feedback regarding program performance. This
hindered Federal agencies in their efforts to increase program efficiency and
effectiveness, and prevented them from being accountable. Furthermore, this lack of
accountability on the part of the Federal managers prevented Congress from making
informed budgetary decisions. In order to increase accountability, GPRA required
Federal agencies to develop 5-year strategic plans, annual performance plans, and
annual performance reports.

Strategic plans define an agency's mission in terms of their major functions and
operations. The agency's goals and objectives, and how they will be achieved by the
agency, must be included in their strategic plan.
The strategic plan also describes the
quantifiable performance measures to be used by the agency, and how they relate to
the agency's goals and objectives.

Annual performance plans establish objective, quantifiable, and measurable
performance goals for an agency. These plans also describe the operational processes
and resources necessary to meet the performance goals, establish performance
indicators to measure the relevant outcomes, and provide a basis for comparing the
outcomes with the performance goals. The annual performance plans also provide a
means to validate and verify the measured outcomes.

Annual performance reports compare the actual program performance achieved with
the performance goals for each performance indicator defined in the agency's annual
performance plan. These reports contain the agency's evaluation of their performance
plan relative to the performance achieved during the fiscal year. If performance goals
have not been met, the agency must include an explanation, as well as a plan for
achieving the performance goals in the future. Alternatively, if the agency believes the
goals are impractical, they would include their rationale and recommended alternatives
in the annual performance report.

SSA's Performance Measures

The Social Security Administration (SSA) defined five strategic goals in its FY 1998-2002
strategic plan, Keeping the Promises:

1. Promote valued, strong, and responsive social security programs and conduct
   effective policy development, research, and program evaluation
2. Deliver customer-responsive, world-class service
3. Make SSA program management the best in the business, with zero tolerance for
   fraud and abuse
4. Be an employer that values and invests in each employee
5. Strengthen public understanding of the social security programs

For each strategic goal, SSA's strategic plan also defined specific objectives to achieve
each of the goals.

SSA's FY 1998 annual GPRA performance report, published as part of their FY 1998
Accountability Report, includes actual performance data and goals for 57 performance
measures. PricewaterhouseCoopers was engaged to evaluate nine specific
performance indicators found in SSA's FY 1998 Accountability Report. The
performance indicators (or performance measures, as they are referred to in the
Accountability Report) are as follows:

1. Percent of OASI claims processed by the time the first regular payment is due or
   within 14 days from effective filing date, if later
2. OASI claims processed
3. Percent of initial SSI aged claims processed within 14 days of filing
4. SSI aged claims processed
5. Representative payee actions
6. SSN requests processed
7. Annual earnings items
8. Percent of earnings posted to individuals’ records by September 30
9. Percent of individuals issued SSA-Initiated PEBES as required by law

During testing, it was noted that the nine performance measures could be defined by
six distinct processes. The systematic flow of information for three of the measures was
almost identical to the flow of information for three other measures. Furthermore, these
groupings match those that the OIG has selected for generating their upcoming reports.
The six processes are as follows:

1. RSI claims (performance measures #1 and #2)
2. SSI aged claims (performance measures #3 and #4)
3. Representative payee actions (performance measure #5)
4. SSN requests processed (performance measure #6)
5. Annual earnings items (performance measures #7 and #8)
6. Percent of individuals issued SSA-Initiated PEBES as required by law (performance
   measure #9)

This report represents our understanding and evaluation of the representative payee
actions process.

The representative payee process encompasses performance measure #5,
representative payee actions. Performance measure #5 includes the total number of
representative payee actions performed during the fiscal year. An action can be either
a representative payee change (the selection or non-selection of a representative
payee, the change from one representative payee to another, the change of information
for a representative payee, investigations of representative payees, and the suspension
of a representative payee), or the mailing of the annual representative payee accounting
form to an individual representative payee. The representative payee actions include
Title II and Title XVI actions, as well as actions for representative payees who live
abroad. The objectives of this measure are to assist SSA in positioning their resources
and processes to meet emerging workloads, and to aggressively deter, identify, and
resolve fraud. These objectives relate to SSA's third strategic goal, "to make SSA
program management the best in the business, with zero tolerance for fraud and
abuse".

This performance measure is presented as a workload count, and includes every
representative payee action taken during the fiscal year. The FY 1998 performance
goal was 6,983,800 representative payee actions, and SSA reported the performance
result as 7,063,595 representative payee actions.

SSA is currently developing a Title II Redesign, which will impact the way Title II
representative payee actions will be processed through SSA's systems.

Performance measure #5 is obtained by combining counts from a myriad of systems
and processes.
The flow of data for the Representative Payee Process is depicted in
Figure 3, and the process is shown in greater detail in Appendix E.

[Figure 3: Representative Payee Process. Flow diagram showing the data paths for Title II
Change, Title XVI Change, Title II Accounting, Title XVI Accounting and Foreign Title II
Changes through RPS, WMS, PEMI, IWMS, GETDOWR, PCACS and CAS to the Accountability
Report.]

There are two major types of actions: (1) Representative Payee Changes, which
includes applications for new Representative Payees, change of Representative Payee,
account information (address or phone number) changes, and investigations, and (2)
Representative Payee Accounting, which is the process of verifying that Representative
Payees are fulfilling their obligations. The Cost Analysis System (CAS) combines seven
components to obtain the performance measure. The seven components are derived
as follows:

Domestic Title II Representative Payee Changes

A Field Office Claims Representative can initiate Representative Payee Changes for a
Title II account by updating RPS (Representative-Payee System) with the RSEL CICS
screen. RPS then passes the transactional data to WMS, which stores relevant data in
the WMS database.
The PEMI (Post-Entitlement Management Information) system
reads the transactional data in the WMS database and calculates summary counts.
PEMI then transfers the summary counts to IWMS and stores them as DOWR category
15. OFPO uses the GETDOWR module, which is part of the SSAMIS system, to obtain
DOWR 15 and subsequently enters it in the Cost Analysis System (CAS).

Title XVI Representative Payee Changes

A Field Office Claims Representative can initiate Representative Payee Changes for a
Title XVI account by updating RPS (Representative-Payee System) with the RSEL
CICS screen. The CICS screen creates a record in a centrally located traffic file. The
PEMI (Post-Entitlement Management Information) system reads the transactional data
from the traffic file and calculates relevant summary counts. PEMI then transfers the
summary counts to IWMS and stores them as DOWR category 24. OFPO uses the
GETDOWR module to obtain DOWR 24 and subsequently enters it in the Cost Analysis
System (CAS).

International Title II Representative Payee Changes

Many Title II beneficiaries that live abroad have a Representative Payee. Program
Service Center 8, which is located in Baltimore, handles Representative Payee
Changes and manages the work using the Program Center Action Control System
(PCACS). A Direct Service Employee (DSE) reviews each specific case and
determines the action(s) required. These actions are designated using TOEL (Type of
Event Level) Codes. The DSE then generates a PCACS Action Control Record (ACR)
and routes the package to the proper work station(s). The OIO Technicians use
relevant object programs to perform the required tasks. When the case is complete, the
OIO Technician clears the ACR from PCACS and PCACS subsequently increments the
cumulative total work counts for the corresponding TOEL Codes.
OFPO uses TSO
GETPCACS to obtain counts from PCACS using the relevant TOEL Codes. OFPO then
enters these values into CAS.

Domestic Title II Representative Payee Accounting

The domestic Title II Representative Payee Accounting process is initiated when
CSRETAP reads the MBR (Master Benefit Record) and writes the universe of
Representative Payees to a file. The Representative Payee Accounting System then
reads this file and eliminates those individuals that are (a) both Title II and XVI, (b)
accounted for via onsite reviews, (c) self-payees, and (d) receiving foreign payments
(i.e., non-domestic). The system then writes the eligible Representative Payees to the
ROBOT file and sends the relevant information to a vendor for printing and distribution
of the SSA-623 and SSA-6230 forms.

Most of the Representative Payees fill out the form and return it to the Wilkes-Barre
Data Operations Center (WBDOC). That portion of the final count is discussed below
(see "Representative Payee Accounting Cleared at WBDOC"). However, there are two
scenarios in which the Field Offices clear the accounting forms. In the first scenario, a
Representative Payee desires help completing the form and visits the local Field Office.
In the second scenario, the Representative Payee does not respond to the first or
second notification. In this case, the WBDOC sends the Field Office a special alert and
they attempt to contact the Representative Payee and schedule him/her for a visit. In
both cases, the Field Office technician helps the Representative Payee fill out the
SSA-623 or SSA-6230 form and clears the Representative Payee using the CICS
Representative Payee Accounting screen. The CICS screen subsequently places an
indicator in the ROBOT file, and the Representative Payee is cleared from the system
during the next nightly batch run.
The system also writes information regarding the
completed transactions to a file that is sent electronically to OIM. The Post-Entitlement
Management Information (PEMI) system subsequently reads the transactional data,
calculates summary counts, and transfers the summary counts to IWMS. IWMS stores
the relevant summary count as DOWR Category 6. OFPO uses the GETDOWR
module to obtain DOWR 6 and subsequently enters it in the Cost Analysis System
(CAS).

Domestic Title II Representative Payee Accounting includes those cases where a
beneficiary lives in a foreign country, but the corresponding Representative Payee lives
in the United States.

Title XVI Representative Payee Accounting

The domestic Title XVI Representative Payee Accounting process is initiated when the
SSI Redetermination Merge Run selects Representative Payees to target for accounting
and creates an "AR" diary in each beneficiary's SSR. The Merge Run also formats print
records and writes them to a file. OTSO subsequently places the print files on a tape
cartridge and sends them to a vendor for printing and mailing of the SSA-623 form.

Most of the Representative Payees fill out the form and return it to the Wilkes-Barre
Data Operations Center (WBDOC). That portion of the final count is discussed below
(see "Representative Payee Accounting Cleared at WBDOC"). As with Title II, there are
two scenarios in which the Field Offices clear the accounting forms. The first case is
when the Representative Payee desires help completing the form and visits the local
Field Office.
The second case occurs when the Representative Payee does not
respond to the first or second notification and the Field Office subsequently attempts to
contact the Representative Payee and schedule him/her for a visit.

In either case, the Field Office technician helps the Representative Payee fill out the
SSA-623 form and clears the Representative Payee using the CICS SSI Data Input
Screen. At this time, the CICS screen creates a transaction record in a centrally located
traffic file. The PEMI (Post-Entitlement Management Information) system reads the
transactional data from the traffic file and calculates relevant summary counts. PEMI
then transfers the summary counts to IWMS and stores them as DOWR Category 7.
OFPO uses the GETDOWR module to obtain DOWR 7 and subsequently enters it in the
Cost Analysis System (CAS).

International Title II Representative Payee Accounting

The Office of International Operations (OIO) has jurisdiction over all cases where a
beneficiary lives in a foreign country, even if a corresponding Representative Payee
lives in the United States. The processing of such forms is included in the total count.

The forms are generated, printed and mailed along with the other domestic Title II
Representative Payee accounting forms. Once the forms reach Wilkes-Barre, they are
screened along with the domestic forms. Those that appear to require no additional
work are either scanned or cleared with a CICS screen, and are included with the other
WBDOC counts, as discussed below (see "Representative Payee Accounting Cleared
at WBDOC"). However, some of the forms require additional work and are
subsequently sent to PC 8 in Baltimore. A Direct Service Employee (DSE) reviews
each specific case and determines the action(s) required. These actions are
designated using TOEL (Type of Event Level) Codes.
The DSE then generates a
PCACS Action Control Record (ACR) and routes the package to the proper work
station(s). The OIO Technicians use relevant object programs to perform the required
tasks. When the case is complete, the OIO Technician clears the ACR from PCACS
and PCACS subsequently increments the cumulative total work counts for the
corresponding TOEL Codes. OFPO uses TSO GETPCACS to obtain counts from
PCACS using the relevant TOEL Codes. OFPO then enters these values into CAS.

Representative Payee Accounting Cleared at WBDOC

Most of the domestic Title II and Title XVI Representative Payee Accounting Forms and
OIO Foreign Enforcement Forms are sent to the WBDOC and cleared using either the
scanner or a CICS screen. The total electronic counts for the forms cleared at WBDOC
are then reported to OIM via the WB MI report. OIM stores the counts in IWMS. OFPO
subsequently obtains the total yearly count from IWMS and enters the value in CAS.

Total Count

The Cost Analysis System (CAS) sums the components discussed above to obtain PM
#5. OFPO obtains PM #5 from CAS for inclusion in the Accountability Report.

Appendix B

SCOPE AND METHODOLOGY

The SSA OIG contracted PricewaterhouseCoopers to evaluate nine of SSA's FY 1998
performance indicators established to comply with GPRA. This report reflects our
understanding and evaluation of the representative payee actions process, which
includes performance measure #5 (Representative payee actions).
Testing was
performed from June 9, 1999 through October 1, 1999, as follows:

1. Gain an understanding and document the sources from which data is collected to
   report on the specified performance measures;
2. Identify and test critical controls (both EDP and manual) of systems from which the
   specified performance data is generated;
3. Test the accuracy of the underlying data for each of the specified performance
   measures;
4. Recalculate each specific measure to ascertain its mathematical accuracy;
5. Evaluate the impact of any relevant findings from prior and current audits with
   respect to SSA's ability to meet performance measure objectives; and
6. Identify findings relative to the above procedures and make suggestions for
   improvement.

As a result of our reliance on prior and current SSA audits, our report contains the
results of internal control testing and system control deficiencies.

Limitations

Our engagement was limited to testing at SSA headquarters. Furthermore, when
recalculating the specific performance measures, we used FY 1998 data except when
SSA was unable to provide all the documentation necessary to fully evaluate the FY
1998 performance measure amounts reported in the Accountability Report.
In those
cases, FY 1999 data was evaluated.

These procedures were performed in accordance with the AICPA's Statement on
Standards for Consulting Services, and are consistent with Government Auditing
Standards (Yellow Book, 1994 version).

1. Gain an understanding and document the sources from which data is
   collected to report on the specified performance measures

We obtained an understanding of the underlying processes and operating procedures
surrounding the generation of performance measures through interviews and meetings
with the appropriate SSA personnel and by reviewing the following documentation:

• Policies and procedures manual for procedures surrounding the processing,
  accumulating, and reporting of the data for the nine performance measures;
• PwC system walk-through descriptions;
• SSA-provided system descriptions;
• Internal or external reports on the nine performance measures (including OIG, GAO,
  etc.); and,
• Review of any of the nine performance measures performed in conjunction with prior
  financial audits by PricewaterhouseCoopers.

2. Identify and test critical controls (both EDP and manual) of systems from
   which the specified performance data is generated

Based on the understanding we obtained above in Methodology #1, we identified key
controls for the nine performance measures.
For each of the nine performance
measures, the controls surrounding the following were tested (Note: in cases where
PricewaterhouseCoopers tested key controls as part of prior financial audits, findings
were updated, and testing was not reperformed):

Performance Measure #5: Representative payee actions

• Representative Payee Accounting forms received at WBDOC and processed via
  CICS are removed from ROBOT file
• Representative Payee Accounting forms received at WBDOC and processed via the
  scanner are removed from ROBOT file
• Title II Representative Payee Accounting actions processed via a Field Office are
  transferred to the PEMI application and ultimately into IWMS
• Title XVI Representative Payee accounting actions processed via a Field Office are
  transferred to the PEMI application and ultimately into IWMS
• Title II and Title XVI Representative Payee Changes processed via a Field Office are
  transferred to the PEMI application and ultimately into IWMS
• Title II and Title XVI Representative Payee Accounting transmission of WB MI
  Report from WBDOC to OIM
• Representative Payee International Accounting actions transfer into CAS
• Representative Payee International Changes actions transfer into CAS
• Applicable application controls
• Applicable general computer controls
• Current procedural and systems documentation for CAS

All Performance Measures

• Formation of specific systems requirements for different major development projects,
  routine maintenance, and cyclical changes
• Information protection control structure (system security)
• SSA's systemic contingency plan
• Documentation of program changes evidencing user approval and testing
• SSA's System Security Handbook

3. Test the accuracy of the underlying data for each of the specified
   performance measures

Based on the understanding we obtained above in Methodology #1, we identified key
files, databases, and reports for the nine performance measures. To ensure data
availability and to evaluate the data, Computer Assisted Audit Techniques (CAATs)
testing was performed for each of the nine performance measures as follows:

Performance Measure #5: Representative payee actions

• Compared the before and after ROBOT file to ensure file was updated;
• Compared CSREPRET.R0909 file to ROBOT.G1574 file to ensure ROBOT file was
  updated;
• TITLE II REPRESENTATIVE PAYEE ACCOUNTING - Compared the PEMI file with
  the IWMS file to ensure the two record counts were equal;
• TITLE XVI REPRESENTATIVE PAYEE ACCOUNTING - Compared the PEMI file
  with the IWMS file to ensure the two record counts were equal; and
• TITLE II & XVI REPRESENTATIVE PAYEE CHANGES - Compared the PEMI file
  with the IWMS file to ensure the two record counts were equal.

4. Recalculate each specific measure to ascertain its mathematical accuracy

Based on the understanding we obtained above in Methodology #1, we requested and
reviewed documentation to ensure the mathematical accuracy of the nine performance
measures as follows:

Performance Measure #5: Representative payee actions:

• Traced the performance measure value per the FY 1998 CAS Report to the number
  reported in the FY 1998 Accountability Report; and
• Traced the performance measure IWMS value to the values in the FY 1998 CAS
  Report.

5. Provide OIG management with a written report identifying findings relative
   to the above procedures and with suggestions for improvement

Based upon the evaluation performed, as outlined in the four above methodologies,
PricewaterhouseCoopers has prepared a written report detailing the internal control
deficiencies in SSA's performance measurement systems, as well as inaccuracies in
SSA data used to report on the nine selected performance measures.
PricewaterhouseCoopers has also provided recommendations to address the system
deficiencies and data inaccuracies noted during the performance of the agreed-upon
procedures.

6. Evaluate the impact of any relevant findings from prior and current audits
   with respect to SSA's ability to meet performance measure objectives

PricewaterhouseCoopers has noted five relevant findings from prior and current audits
that may impact SSA's ability to meet performance measure objectives. All findings
were noted in our FY 1999 financial audit. The relevant findings impact all performance
measures, and are as follows:

• SSA has a number of data integrity deficiencies
• SSA's system environment has security deficiencies
• CAS procedural and systems documentation have not been updated
• SSA has systems design and documentation deficiencies
• SSA has a number of deficiencies in their systems contingency plan

Appendix C

AGENCY COMMENTS

January 28, 2000

James G. Huse, Jr.
Inspector General

William A. Halter
Deputy Commissioner

Office of the Inspector General (OIG) Draft Report, "OIG Performance Measure Review:
Summary of PricewaterhouseCoopers (PwC) LLP Review of SSA's Performance Data"

We appreciate the opportunity to comment on the draft summary report. We also
appreciate the OIG/PwC acknowledgement that SSA has developed a number of useful
performance measures in the spirit of the Government Performance and Results Act
(GPRA) and has discussed them in proper detail in the FY 2000 Performance Plan.

Further, we appreciate the report's stated intention to provide SSA with suggestions
which may assist us in preparing for the final phases of GPRA. However, we believe
the report should more clearly state throughout that current GPRA requirements were
not in effect during FY 1998, the year for which the data were examined, and that it
would therefore be inappropriate to extrapolate the findings to SSA's implementation of
GPRA for FY 1999 or FY 2000.

The GPRA statute requires that certain elements be included in annual performance
plans and that other elements be included in annual performance reports. GPRA
further requires that agencies prepare annual performance plans that set out specific
performance goals for FYs beginning with 1999. It also requires that agencies report
annually on performance compared to goals, with the first report due in March 2000, to
cover FY 1999. As mentioned above, the requirements of GPRA, including a
description of the means employed to verify and validate the measured values used to
report on program performance, were not in effect for FY 1998.
SSA's efforts in this
area were preliminary, and have significantly evolved with our FY 1999 and FY 2000
GPRA documents.

For FY 1998, and as we were moving toward preparation of our first GPRA Strategic
Plan and our Annual Performance Plan for FY 1999, SSA published a Business Plan.
We stated in our Business Plan that for FY 1998 we were including performance
measures for which we had measurement systems in place and current performance
information. We also included related output measures for several priority workloads.

Although not a GPRA requirement, we also elected to report in our FY 1998
Accountability Report on those FY 1998 goals which we decided to include in our FY
1999 Annual Performance Plan. We did not, however, meet all the requirements for an
Annual Performance Report in that document nor was it our intention to do so. We are
concerned that implicit in many of the report's recommendations is the erroneous
conclusion that SSA should have complied, in 1998, with statutory requirements that
were not yet in effect. We believe that all GPRA requirements are met, as required by
statute, by our recently released FY 1999 GPRA Performance Report.

Finally, as you know, 30 of the 40 recommendations contained in the subject audit
report are either exactly duplicative or very nearly duplicative of recommendations
contained in past financial statement audit reports. Since we are already taking
corrective actions for those that we accepted as valid, we will not be addressing the
duplicate recommendations in this response. We will, of course, continue our efforts to
implement corrective actions, as appropriate, and to provide status reports until
completed.

As you indicate, SSA is positioned to be a leading performance based budgeting
organization and to meet the future requirements of GPRA.
The Office of Management
and Budget has designated SSA as a pilot project for performance budgeting. The
continuing disability reviews program is the specific activity covered by this designation
and the time period covered will be FY 2001. We anticipate that our participation will
enrich the learning from the government-wide pilot with regard to the feasibility and
impacts of performance based budgeting.

Attached are specific comments to the draft report. Staff questions may be referred to
Odessa J. Woods on extension 50378.

Improvement Area 1--SSA lacks sufficient performance measure process
documentation and did not retain documents to support the FY 1998 amount.

Recommendation 1

1. We recommend that SSA place ownership for the performance measure process
and reporting within an organizational unit. Data ownership would still remain with the
user organizations. However, an organizational unit should be accountable for the
overall performance measure processes and results. Their charter should include the
following responsibilities:

• Identify and document the processes surrounding the generation and accumulation
  of performance measure values. This would establish a clear method for verifying
  and validating the performance measures.

• Establish policies and procedures surrounding the retention of performance measure
  documentation. The documentation retained should allow for the timely verification
  of the performance measure values, and should be maintained for at least one year.

• As new systems are developed, evaluate their potential impact on the accumulation
  of performance measure data.
  Systems with potential impact should be designed to
  include the means of producing a verifiable audit trail to validate the performance
  measure results as they are defined in the Accountability Report.

Response to Recommendation 1

We agree in concept with this recommendation. SSA's Office of Strategic Management
(OSM) is responsible for coordinating the Agency's GPRA activities. In addition, we will
continue to work to improve the development and retention of the kind of documentation
needed for external audits of our performance measures.

Improvement Area 2--SSA has a number of data integrity deficiencies.

Recommendations 2-10

Response to Recommendations 2 - 10

These recommendations are either a direct reprint of the recommendations contained in
PricewaterhouseCoopers' (PwC) FY 1998 Management Letter, Part 2 or a reiteration
containing only minor editorial changes.

Recommendation 7

• SSA should develop policies and procedures for the resolution of unmatched items
  in DACUS and establish a work group with primary responsibility for resolution. One
  of the duties of this group should be to analyze patterns in exceptions and facilitate
  the implementation of changes to the automated matching algorithm to make it more
  effective

Response to Recommendation 7

We agree that a workgroup should be established to determine DACUS exception
patterns and make recommendations on changes in matching routines, as appropriate.
The workgroup will be led by the Office of Systems Requirements with involvement from
other impacted components. We have already determined that gender should be
deleted as a matching item and plan to implement this change before the Year 2000
moratorium.
DACUS Release 5 will be the vehicle for implementing changes
recommended by the workgroup.

Recommendation 8

• SSA should implement: 1) initiatives to reduce the amount of time required by
  outside sources for submitting death notifications, such as the electronic death
  certificate project currently being tested; and, 2) a method to prevent the submission
  or receipt of duplicate information, whether submitted from the same or different
  sources (DACUS, NUMIDENT, MBR, SSR)

Response to Recommendation 8

We partially agree with this recommendation. We agree with the first bulleted item. We
have provided for Systems support for an Electronic Death Certificate process in the
appropriate 5-Year plans.

We request the auditors reconsider their recommendation contained in the second
bulleted item. The recommendation to prevent receipt/issuance of duplicate death data
concerning the same individual from multiple sources is technically impossible. To
prevent reporting duplication, it would require that all agencies have direct, interactive
access to the SSA databases, which is not advisable. Even that would not prevent
individual sources such as family members and funeral directors also from reporting on
someone previously reported by an agency. (There is no way to "receive" only certain
records on a given file.)

SSA only pays State Bureaus of Vital Statistics for death data and then only if it is the
first report of death.
In future DACUS analysis efforts, we will examine the MI for State
data to ensure that it is properly identifying only those records for which payment is due.

Recommendation 9

• With the completion of the Year 2000 project in FY 2000, SSA should begin
  implementation of DACUS Release 2 (a high priority of SSA's five-year IRM plan), to
  provide functionality to automatically delete NUMIDENT death postings when a
  person is "resurrected" on the MBR and SSR (NUMIDENT, MBR, SSR)

Response to Recommendation 9

We agree. We expect to complete Year 2000 DACUS activities in early 1999. We will
then develop the schedule for DACUS Release 2 and include the dates in the 3/99
update of the Enumeration/Client 5-Year plan.

We also would like to clarify item C as the Findings section is inaccurate. Date of death
processing was not a part of Release 2 of ICDB in 8/97 for title II or XVI. However, we
did do a special clean-up of MBR and SSR death data to the Numident in 1998. This is
what accounts for the vast drop in discrepant cases. The remaining cases failed the
automated matching routines, generally because of significant differences in names.
Manual investigation would have to be undertaken to determine if the individuals are
indeed the same person.
We also note that SSA policy requires investigation of date
discrepancies only when they would be significant to a finding of overpayment; i.e.,
when a person has already been terminated for another reason such as disability
cessation, a later death date would have no impact.

Recommendation 10

• SSA should firm up plans to implement the ICDB R2 functionality for the SSI system
  (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT
  (NUMIDENT, MBR, SSR)

Response to Recommendation 10

We request the auditors reconsider their recommendation as it is inaccurate. Date of birth
processing was included in ICDB Release 2 in 8/97 for both Title II and XVI initial claims
cases; there is no outstanding need to develop this capability for SSI cases. What does
remain is the clean-up of the pre-existing data as described in III. 6. General above.
That "mass saturation" was NOT done in 6/98 as stated by PwC. What was executed in
1998 was the clean-up of existing dates of death.

Improvement Area 3--SSA's system environment has security deficiencies.

Recommendations 12-22

Response to Recommendations 12-22

These recommendations are direct reprints of findings and recommendations contained
in PwC's FY 1999 report on management's assertion about the effectiveness of internal
control.

Recommendation 12

As previously reported in the FY 1999 Accountability Report, we recommend that SSA
accelerate and build on its progress to enhance information protection by further
strengthening its entity-wide security as it relates to implementation of physical and
technical computer security mechanisms and controls throughout the organization.
In
general, we recommend that SSA:

• Reevaluate its overall organization-wide security architecture;

Response to Recommendation 12

SSA agrees with this recommendation and is initiating a full reassessment of its
organization-wide security architecture to ensure that vulnerabilities, especially those
introduced by new technology, are being addressed. This strategic reassessment will
allow SSA to identify any additional initiatives needed to upgrade its programs.
Enhancements to the existing architecture resulting from this activity will be
implemented and communicated to all SSA components.

Recommendation 13

• Reassess the security roles and responsibilities throughout the organization's central
  and regional office components;

Response to Recommendation 13

SSA agrees with this recommendation and is currently reassessing security roles and
responsibilities. Recently, SSA elevated the organizational structure of the entity for
information systems security within the Office of Finance, Assessment and
Management. Also, within the Office of Operations, a higher level security oversight
group was formed and there was a reassessment of regional security officer roles to
emphasize the increased importance of their roles.

Recommendation 14

• Assure that the appropriate level of trained resources are in place to develop,
  implement and monitor the SSA security program;

Response to Recommendation 14

SSA agrees with this recommendation and has enhanced security training by directing
additional funds toward new security training courses for both Headquarters and
regional security staffs.
In addition, the Office of Systems is taking steps to improve its
security program by obtaining additional expertise via contractor services.

The additional training and the organizational refocusing discussed above will ensure
the appropriate level of trained resources are in place to develop, implement and
monitor the SSA security program.

Recommendation 15

• Enhance and institutionalize an entity-wide security program that facilitates
  strengthening of LAN and distributed systems' security;

Response to Recommendation 15

SSA agrees with the recommendation and has been working diligently on improvements
in this area. SSA will continue to enhance and institutionalize the entity-wide security
program through a series of enhancements to the mainframe, LAN and distributive
systems. The enhancements will include: improved monitoring of access controls,
particularly in field activities; full implementation of the Enterprise Security Interface;
administrative monitoring and penetration testing.

Recommendation 16

• Review and certify system access for all users;

Response to Recommendation 16

SSA agrees with this recommendation and continues to make progress in this area.
The Office of Systems continues to work aggressively to adjust access rights under its
Standardized System Profile Project.

Recommendation 17

• Enhance procedures for removing system access when employees are transferred
  or leave the agency;

Response to Recommendation 17

SSA agrees with this recommendation and will continue to improve our procedures and
the comprehensive processes already in place for removing system access when
employees are transferred or leave the Agency.

Recommendation 18

• Decrease vulnerabilities in the mainframe operating system configuration;

Response to Recommendation 18

SSA agrees with this recommendation and will continue to evaluate our mainframe
operating system configuration and initiate changes to protect against threats, both
deliberate and nonintentional.

Recommendation 19

• Implement the mainframe monitoring process;

Response to Recommendation 19

SSA agrees with this recommendation. As acknowledged earlier in the report, SSA has
established the SMART Report, which is distributed to the security officers responsible
for the groups using the systems. While most users are in non-Headquarters offices, all
users, including those in central office, are tracked and monitored. Procedures have
been distributed which focus the reviews on specific types of transaction scenarios,
thereby making the SMART system a more useful security management and
enforcement tool. We agree that additional enhancements for increased use of the
report can be made both in the field and in central office. We will continue to improve
the use of the report to monitor inappropriate access to SSA's systems.

Recommendation 20

• Finalize accreditation and certification of systems;

Response to Recommendation 20

SSA agrees with this recommendation and either certified or recertified all of SSA's
sensitive systems in July 1999.

Recommendation 21

• Develop and implement an ongoing entity-wide information security compliance
  program; and

Response to Recommendation 21

SSA agrees with this recommendation and has a number of existing and planned
programs to monitor compliance with security policies and procedures.
In addition to
automated controls, SSA also monitors compliance through programmatic and systems
audits, financial systems reviews, and other internal studies and reviews.

SSA has made progress in developing the Comprehensive Integrity Review Process
(CIRP) system that will consolidate integrity review functions into a single automated
facility where transactions will be screened against specific criteria. The criteria include
cross-application criteria and can be changed to concentrate on emerging trends. SSA
remains committed to ongoing enhancement and implementation of the CIRP system.

Recommendation 22

• Strengthen physical access controls at non-headquarters sites.

Response to Recommendation 22

SSA agrees with this recommendation and is committed to strengthening security at
non-Headquarters sites. We are in the process of enhancing the badging procedures
and policy enforcement in the regions and other major non-Headquarters facilities. In
addition, the Agency, through its security tactical plan, has been working to increase
physical security at the National Computer Center (NCC) and SSA facilities around the
country.

Improvement Area 4--Three of SSA's performance measures could better reflect
agency performance.

Performance Measure #5--Representative Payee Actions

Recommendation 23

We recommend that SSA divide this performance measure into two separate metrics:
(1) Representative Payee Changes, and (2) Representative Payee Accounting. This
would result in two groupings of activities that would be more homogenous with respect
to cost and/or resource requirements. It would also be straightforward to implement
since the required data is already obtained and stored in the CAS system.

Response to Recommendation 23

We disagree.
"Rep payee actions" is, as stated, a major budgeted workload, not an
individual workload. Many budgeted workloads consist of more than one type of action
with separate process counts. We do not believe that subdividing the output measure
of this budgeted workload would be useful or consistent with the intent of this section of
the Annual Performance Plan.

Improvement Area 5--GPRA documents prepared for external evaluation of SSA
performance do not clearly indicate the sources of the performance measures.

Recommendation 26

We recommend that SSA develop clear and concise descriptions of each performance
measure's source.

Response to Recommendation 26

We agree that reporting documents prepared for public consumption should contain, in
lay terms, clear descriptions of the sources of our performance measures. We will
consult with your office to determine where you believe this is not the case. In addition,
we would note that our documents comply with the requirements of GPRA with regard
to appropriate level of documentation of the sources for external audiences.
The A-11
guidance specifically recommends the following information on data sources:

•   The current existence of relevant baseline data, including the time-span covered by
    trend data;
•   The expected use of existing agency systems in the collection and reporting of data;
•   The source of the measured data;
•   Any expected reliance on an external source(s) for data, and identification of the
    source(s); and
•   Any changes or improvements being made to existing data collection and reporting
    systems or processes to modify, improve, or expand their capability.

SSA’s FY 2000 Annual Performance Plan meets all these requirements.

Where additional, technical detail describing underlying processes and programmatic
systems that produce the reported metrics are needed by OIG and GAO auditors, we
will continue to make this detail available.


Improvement Area 7--A component was inadvertently omitted when calculating
the total of one of the performance measures.

Recommendation 30

We recommend that SSA develop and implement a review process for the manual
calculation of the annual Representative Payee Action total count.

Response to Recommendation 30

We agree. The problem identified during the instant OIG review concerning
International Representative Payee Accounting has been corrected.
A review process
has also been implemented to validate the manual calculation.


Improvement Area 8--The Cost Analysis System's (CAS) procedural and systems
documentation have not been updated.

Recommendation 31

We recommend that DCA explore alternatives for acquiring the resources needed to
update the existing CAS procedural and systems documentation, and to obtain
procedural documentation for the replacement systems.

Response to Recommendation 31

This recommendation was included as a recommendation contained in PwC’s FY 1998
Management Letter, Part 2.

We agree and will pursue alternatives for acquiring the resources needed to update
CAS procedures, manuals, handbooks and documentation. SSA is also initiating an
effort to design and implement an agency-wide managerial cost accountability process
and system which will eventually subsume the functions of the CAS.


Improvement Area 9--SSA has systems design and documentation deficiencies.

Response to Recommendations 32 - 34

These recommendations are equivalent to recommendations contained in PwC’s
FY 1998 Management Letter, Part 2.

Recommendation 32

We recommend the following:

•   SSA should complete implementation of its Validation Transaction Tracking System
    (VTTS) and continue with its plan to automate the process for submitting System
    Release Certification (SRC) forms

Response to Recommendation 32

We agree and believe the first portion of this recommendation is complete. Systems
began using VTTS in 1996 for selected validations. In October 1998, its use became
mandatory for all validations. VTTS has been converted to SQL and is available for all
systems.
Evaluation will continue to make it more useful and flexible.

Target dates for automating the SRC forms submission process are now in place.
Prototype automated change control procedures are currently being tested and
evaluated which will satisfy the second portion of this recommendation. We expect to
complete evaluation of the prototype design by Spring 1999. (The prototype evaluation
was staged to include various life cycle development projects, e.g., new software
development (online and batch), maintenance, cyclical projects.) We are currently
setting up the evaluation of a maintenance type project.
Upon completion of the prototype evaluation, design changes resulting from the
evaluation will be incorporated into the automated procedures, software changes to this
process will be made, and we will then roll out the process on a project by project basis.
We expect to begin roll out by late Summer 1999.

Recommendation 33

•   SSA should complete implementation of Platinum's Process Engineering Tool (PET)
    and institutionalize Carnegie Mellon's Software Engineering Institute's Capability
    Maturity Model (CMM) methodology

Response to Recommendation 33

We agree but believe it is too early in the implementation process to provide a date for
complete implementation.

Presently, SET standards require documenting software changes. Nevertheless, we
are developing a more robust mechanism to support SSA’s Information Technology (IT)
infrastructure.

We are committed to software process improvement using Carnegie Mellon’s Capability
Maturity Model (CMM). We have also procured the PLATINUM Technology, Inc.’s
Process Engineering Tool (PET).
When fully implemented, PET will replace and expand
upon the foundation built by SET.

With PET integrated within our CMM approach, SSA is building the foundation for a
comprehensive software process improvement infrastructure that goes well beyond the
objectives of SET. This infrastructure will create an environment that encourages,
supports and provides assurance that we are continuously making improvements in the
quality of software, productivity of the software development staff, and timeliness of
software delivery. This will be done by improving project management skills and
approaches; defining IT Processes based on SSA and industry best practices;
supporting the use of metrics; and continuously improving IT processes.

Three CMM pilot projects are well underway and using SSA developed documented
procedures required for compliance with CMM Level 2 Key Process Areas (KPAs).
KPAs indicate where an organization should focus to improve its software process and
identify the issues that must be addressed to achieve the next maturity level. The KPAs
at Level 2 focus on the software project’s concerns related to establishing basic project
management controls. These KPAs are:

•   Requirements management
•   Software project planning
•   Software project tracking and oversight
•   Software subcontract management
•   Software quality assurance
•   Software configuration management

Processes for all of these KPAs have been developed for iterative lifecycle projects and
are available to the pilot project teams over the Web and in the PET tool. DCS is in the
process of identifying additional similar “rollout” projects to begin in 1999, which will use
these processes to achieve CMM Level 2 compliance.
In addition, processes will be
developed and pilots initiated in 1999 for the following types of project:

•   Programmatic CICS and Batch
•   Administrative Development
•   Maintenance without established baselines
•   Legislative and Notices

These processes will be developed using the PET tool and its rich repository of best
practices and process techniques as the delivery mechanism for CMM. It will be
available to the projects over the WEB.

Recommendation 34

•   SSA should update its System Security Handbook (Chapter 10 on Systems Access
    Security) to address all of the acceptable forms for granting access to SSA’s
    computer systems and data

Response to Recommendation 34

We agree. Chapter 10 of its System Security Handbook lists the SSA-120 as the
only security form acceptable. There may be other non-security forms being used for
non-security purposes, but they are not appropriately included in the SSH.


Improvement Area 10--SSA has a number of deficiencies in their systems
contingency plan.

Response to Recommendations 35 – 40

These recommendations are direct reprints of recommendations contained in PwC’s
FY 1999 report on management's assertion about the effectiveness of internal control.

Recommendation 35

As previously stated in the FY 1999 Accountability Report, we recommend that SSA:

•   Finalize the list of critical SSA workloads and fully test the plans for recovering each
    workload;

Response to Recommendation 35

SSA agrees with this recommendation. SSA recently reevaluated and confirmed its
critical workloads.
Testing that will determine recoverability of all identified critical
workloads is scheduled for July 2000.

Recommendation 36

•   Establish RTOs for each critical workload;

Response to Recommendation 36

SSA agrees with this recommendation. It is SSA's goal to provide users with a fully
integrated set of software to process each critical workload as rapidly as possible. As
part of our July 2000 test, we plan to assess and determine realistic timeframes and
sequences for restoring critical workloads. These objectives will be incorporated into
the next iteration of the Disaster Recovery Plan (DRP). Subsequent DRP iterations will
include timeframes and other supporting information.

Recommendation 37

•   Establish recovery priorities for all systems and applications (mainframe and
    distributed);

Response to Recommendation 37

SSA agrees with this recommendation and continues to work to establish recovery
priorities for all mainframe and distributed systems and applications. DRP identifies the
recovery sequence of all mainframe workloads. We plan to determine realistic
timeframes for reestablishing access to these workloads. In addition, SSA will work to
further define the recovery of the distributed workloads.

Recommendation 38

•   Update contingency plans for headquarters;

Response to Recommendation 38

SSA agrees with this recommendation. In compliance with Presidential Decision
Directive Number 67, Enduring Constitutional Government and Continuity of Operations
Plan, SSA has convened an agencywide workgroup to develop an infrastructure for
contingency planning. This includes defining organizational roles and responsibilities,
essential operations and staffing, training, maintenance, etc.
The actions
recommended by the workgroup and approved by SSA management will be
incorporated into the Agency Contingency plan.

Recommendation 39

•   Finalize and test SSA’s ultimate strategy for implementing and maintaining alternate
    processing facilities; and

Response to Recommendation 39

SSA agrees with this recommendation. Our current IAA with GSA provides SSA with a
long-term, alternate facility supplied through a GSA contract. These provisions will be
implemented and provide SSA access to the site for 1 year should a catastrophic event
leave the NCC uninhabitable for longer than 6 weeks. SSA annually tests the use of
alternate facilities when conducting its disaster recovery test of NCC operations. The
extent of these tests is limited by test time constraints, the smaller configuration used for
testing, availability of personnel and other such factors.

Over the years, SSA has gained significant experience in installing and running its
systems on a wide variety of hardware during disaster recovery tests and benchmarking
new computing platforms. We believe this experience has resulted in the development
of reliable procedures that allow SSA to bring up its systems at any site. This, of
course, does not remove SSA's burden of verifying that secondary sites are stocked, as
indicated, by the vendor. We will evaluate the benefits of establishing orientation visits
at the secondary sites.

Recommendation 40

•   Finalize and test contingency plans for non-headquarters sites.

Response to Recommendation 40

SSA agrees with this recommendation and is in the process of reviewing and updating
all of the Security Action Plans (SAP) that are in place in its non-Headquarters facilities.
The Area Directors will review and test the SAPs as they visit each site during the
course of the year.
The Agency also conducts field site visits to assess the security that
is in place in our offices. In the course of these visits, staff will analyze the plans for
effectiveness and verify that employees are familiar with their content and application.


We also offer the following comments:

Improvement Area 2

Bullet 7, “SSA current practice of obtaining death data does not ensure that this data is
entered into DACUS accurately, timely and only once (affects the NUMIDENT, MBR,
and SSR). While this data may not have a direct effect on the performance measures
(#1, #2, #3, #4, #5, and #9) a noted lack of data verification in these databases
indicates the possibility that other data lacks integrity.”

Agency Comment

This item requires clarification. The report is unclear as to whether the development of
the third party reports or the input of SSA-721’s are factors in the reasons for the OIG
conclusion.

Bullet 8, “A comparison of the MBR, SSR and NUMIDENT identified a large number of
cases where either the individual was alive and in current pay status on the MBR/SSR
but listed as dead on the NUMIDENT, or corresponding records of a given individual
had significant differences in dates of death. While this data may not have a direct
effect on the performance measures (#1, #2, #3, #4, #5, and #9), a noted lack of data
verification in these databases indicates the possibility that other data lacks integrity.”

Agency Comment

We are aware of the problem when the person is listed as deceased on the payment
records but alive on the NUMIDENT. These are usually reinstatement cases. Currently
reinstatements require two separate actions and in many cases the payment record is
corrected and the NUMIDENT remains uncorrected.
Release 2 of DACUS, scheduled
for implementation in August 2000, will enable the reinstatement to communicate with
the DACUS system. This will result in a corrected NUMIDENT.

Other Matters

1. Documents prepared for external evaluation of SSA performance could be improved
to clearly explain the intended uses of the performance measures to comply with future
GPRA requirements.

Agency Comment

In response to the cited General Accounting Office recommendations, SSA is
expanding the explanation of the goals and measures and how they contribute to
evaluating overall SSA performance in the FY 2001 Performance Plan due to Congress
in February 2000.

2. The nine performance measures are not explicit performance budgeting metrics, but
are nonetheless appropriate internal performance indicators and are useful to the SSA-
wide strategic planning process.

Agency Comment

The statements in this section should be modified to recognize that stakeholders not
only include Congressional appropriators, but also customers, policy makers and the
general public who are looking at the overall effectiveness of the Agency in fulfilling its
mission. GPRA prescribes that outcome measures will be used for this purpose.

3. SSA is positioned to be a leading performance-based budgeting organization and to
meet the future requirements of GPRA.

Agency Comment

We appreciate the confidence expressed by the OIG in SSA readiness for performance
budgeting. The Office of Management and Budget (OMB) has designated SSA as one
of the government-wide performance budgeting pilot projects provided for in GPRA.
Within SSA, the Continuing Disability Reviews program is the specific activity covered
by this designation. OMB considers the performance budgeting pilot projects to be an
opportunity to examine the feasibility and potential application of several approaches to
performance budgeting.
In this context, OMB intends to use performance and resource
data provided by the pilots during development of the FY 2001 budget and to report to
Congress on the results of the pilots no later than March 31, 2001, as required by
GPRA.

Appendix A, Background, GPRA

This section should state clearly that the requirements of GPRA for Agency
performance plans and Agency performance reports were not in effect until FY 1999. It
should also acknowledge that although the report covers FY 1998 performance
measures, the GPRA requirements, including descriptions of the means employed to
verify and validate the measured values used to report on program performance, were
not in effect at that time.

Appendix A, SSA’s Performance Measures

The last paragraph should read “FY 1997-2002 strategic plan, “Keeping the Promise.”


Appendix D

Performance Measure Summary Sheets

Name of Measure: 5) Representative Payee Actions

Measure Type: Workload

Strategic Goal/Objective:
Goal: To make SSA program management the best in business, with zero balance for
fraud and abuse
Objectives: To position the Agency's resources and processes to meet emerging
workloads, and to aggressively deter, identify, and resolve fraud.

Definition: Representative Payee Actions includes selection of a representative payee
(nonselects are also included in the count), change of payee, representative payee
accountings, investigations of Representative Payee, suspension of representative
payees and change of information for representative payee. The representative payee
accounting process includes accounting for Title II, Title XVI as well as accounting for
representative payees who live abroad.

Purpose: To combat fraudulent actions on the part of representative payees. This
measure looks at the total number of representative payee actions that occur within a
year to determine whether SSA is monitoring the actions associated with representative
payees appropriately.

How Computed: Total number of representative payee actions as defined in definition
above for Fiscal Year 1998.

Data Source: RPS, WMS, PEMI, CSRETAP, FALCON, PCACS, COS

Data Availability: Some FY 1998 Available, FY 1999 Available

Data Quality: Acceptable

Report Frequency: Monthly

Explanatory Information: The measure looks at representative payee changes and
accountings for both the US and foreign countries. An action for representative payee
changes within the US is initiated with any of the following occurrences: 1) SSA decides
to investigate a Representative payee, 2) a representative payee account requires a
change of information, or 3) an SSA beneficiary or representative payee identifies the
need to change or add a representative payee. International Representative payee
changes occur when an applicant fills out an application at an embassy, consulate or
military JAG office or mails in an application to any of the aforementioned locations or to
PC8. International Representative payee Accountings and domestic Representative
payee Accountings are handled in a similar manner. Representative payee Accounting
forms mailed in by representative payees are both received at the Wilkes-Barre
Document Operation Center (WBDOC) and they are both scanned at Wilkes-Barre. The
International Representative payee Accounting forms with exceptions are sent to PC8.
The implementation of Title II Redesign should aid in the tracking of numbers from
the various sources and systems to the final number that is reported in the Accountability Report.

Target Goal: 6,983,800

Division: OFAM, OFPO

Designated Staff Members: Shirley Hodges


EDP AUDITOR Testing and Results
EDP Auditor testing was performed to ensure controls were in existence and operating effectively within the following processes:
•   Representative Payee Accounting forms received at WBDOC and processed via CICS are removed from ROBOT file
•   Representative Payee Accounting forms received at WBDOC and processed via the scanner are removed from ROBOT file
•   Title II Representative Payee Accounting actions processed via a Field Office are transferred to the PEMI application and
    ultimately into IWMS
•   Title XVI Representative Payee accounting actions processed via a Field Office are transferred to the PEMI application and
    ultimately into IWMS
•   Title II and Title XVI Representative Payee Changes processed via a Field Office are transferred to the PEMI application and
    ultimately into IWMS
•   Title II and Title XVI Representative Payee Accounting transmission of WB MI Report from WBDOC to OIM
•   Representative Payee International Accounting actions transfer into CAS
•   Representative Payee International Changes actions transfer into CAS
•   Applicable application controls
•   Applicable general computer controls
•   Current procedural and systems documentation for CAS
•   Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes
•   Information protection control structure (system security)
•   SSA's systemic contingency plan
•   Full documentation of program changes evidencing user approval and testing
•   SSA's System Security Handbook

See results of engagement entitled "SSA has a number of data integrity deficiencies", "SSA's system environment has security
deficiencies," "CAS systems and procedural documentation have not been updated," "SSA has systems design and documentation
deficiencies," "SSA has a number of deficiencies in their systems contingency plan."

CAATs Testing and Results
•   Compared the before and after ROBOT file to ensure file was updated;
•   Compared CSREPRET.R0909 file to ROBOT.G1574 file to ensure ROBOT file was updated;
•   TITLE II REPRESENTATIVE PAYEE ACCOUNTING - Compared the PEMI file with the IWMS file to ensure the two record
    counts were equal;
•   TITLE XVI REPRESENTATIVE PAYEE ACCOUNTING - Compared the PEMI file with the IWMS file to ensure the two record
    counts were equal; and
•   TITLE II & XVI REPRESENTATIVE PAYEE CHANGES - Compared the PEMI file with the IWMS file to ensure the two record
    counts were equal.

See results of engagement entitled "SSA has a number of data integrity deficiencies."

Process Improvement Testing and Results
•   Traced the performance measure value per the FY 1998 CAS Report to the number reported in the FY 1998 Accountability
    Report; and
•   Traced the performance measure IWMS value to the values in the FY 1998 CAS Report.

See results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to
support the FY 1998 amounts," "Three of SSA's performance measures do not reflect a clear measure of performance," "GPRA
documents prepared for external evaluation of SSA performance do not clearly indicate the sources of the performance measures,"
and "A component was inadvertently omitted when calculating the total of one of the performance measures."


Appendix E

Performance Measure Process Maps

[Process map: Representative-Payee Process, PM #5: Number of Rep-Payee Actions Processed. The flowchart layout did not
survive text extraction. The map has two entry branches, Rep-Payee Accounting (Domestic Title II, Domestic Title XVI, and
International (OIO) Title II, where the beneficiary or Rep-Payee lives abroad) and Rep-Payee Changes (beneficiary or Rep-Payee
living in the US or abroad).]

Annotations on the map:
•   Rep-Payee lives in USA: Rep-Payee Accounting is initiated with domestic Rep-Payee Acctg Sys.
•   Rep-Payee lives abroad: Rep-Payee is audited via Foreign Enforcement process (SSA-7161), which is not included in subject
    count.
•   All Rep-Payee applicants are included in the final count, even if they are not selected by SSA to be the Rep-Payee.
•   At this point in time, OIM has not been given clearance to obtain Title XVI summary information via RPS. They have
    developed a process to utilize Title XVI data from RPS and project a switchover in the near future.

Counting-path box labels that survive from the map:
•   RPS CICS (RSEL) Screen creates record in centrally located traffic file (CT record)
•   PEMI reads traffic file to increment summary count
•   RPS passes data on-line to WMS
•   WMS copies relevant transactional data to WMS Database
•   PEMI reads transactional data in WMS DB and calculates summary counts
•   PEMI transfers summary counts to IWMS

Representative-Payee Process (Continued)
                                                               seeks assistance                         2B\n                                                                                                                                                form & takes it to\n                                                                                                                           w/ Accounting Form\n                                                                                                                                                    local FO\n\n\n                          Rep-Payee Accounting                                      Rep-Payee Accounting System\nCSRETAP reads                                           Rep-Payee Accounting                                              SSA sends              Vendor prints &\n                          System reads universe                                    obtains Conserved Fund Amount\n MBR & writes                                            System Eligible Rep-                                            relevant Rep-           distributes Rep-\n                          file & determines which                                    from previous accounting (if\nuniverse of Rep-                                         Payees are written to                                         Payee information        Payee Accounting\n                            Rep-Payees to target                                   available) from Master Conserved\n Payees to file                                              ROBOT file                                                    to vendor                   forms\n                                for accounting                                     Funds File & adds to ROBOT file\n\n\n                                                            No response from Rep-Payee after 4 months\n\n\n\n\n                           Vendor prints &\nSSA sends Rep-                              
                                                                           WBDOC estimates\n                           distributes 2nd             Rep-Payee         Rep-Payee fills out    WBDOC receives\nPayee information                                                                                                       number of forms\n                           Notice w/ Rep-           receives & reads     Accounting form &      Rep-Payee form in\nto vendor for 2nd                                                                                                      received based on\n                          Payee Accounting                form           mails it to WBDOC         Mail Room\n     notice                                                                                                                  weight\n                                 form\n                                                                                                                                                  WBDOC Clerk\n       Still no response                                                                                                                            identifies\n       from Rep-Payee                                                                                                                             approvals (no      3A\n   after 4 additional months                                                                                                                      development\n                                                                                 2B                  WBDOC routes                                   needed)\n                                                                                                        forms to\n                                                                                                      examination                                 WBDOC Clerk\n                                               
                                                          station                                     identifies\n                              Field Office                                  FO Technician                                                         exceptions that    3B\n WBDOC sends                                                                                                                                     should be handled\n                              attempts to           Rep-Payee visits      helps Rep-Payee\n special alert to                                                                                                                                   by PCs 1-7\n                             contact Rep-             Field Office        fill out Accounting    WBDOC Clerk examines\n  relevant FO\n                                 Payee                                           Form            forms & sorts based on\n                                                                                                  follow-on development                           WBDOC Clerk\n                                                                                                       requirements                                  identifies\n           Rep-Payee not found                                                                                                                    exceptions that\n            or does not respond                                                                                                                  should be handled\n         (Total elapsed time 1 year)                                                                                                               by PC 8 (OIO)\n\n\n                                                       FO Technician clears                                                                       WBDOC Clerk\n                                                                           
      CICS Accounting           Nightly batch\nRep-Payee Accounting                                     Rep-Payee from                                                                             identifies\n                                                                                  screen triggers         removes Rep-\n  system clears Rep-                  End               "diary" using CICS                                                       3E              exceptions that     3C\n                                                                                 placement of X in       Payee with Xs\nPayee from ROBOT file                                   ACCT (Rep-Payee                                                                         can be handled by\n                                                                                    ROBOT file          from ROBOT file\n                                                       Accounting) Screen                                                                           WBDOC\n\n\n\n                                                                                 D-3\n\x0c                                                         Representative-Payee Process (Continued)\n\n                    WBDOC                      WBDOC                                                                         Scanner\n                Technician inputs            Technician              Form is sorted by                                 increments WBDOC\n     3A         Conserved Funds                visually              Program Service          Form is scanned           electronic count &                3G\n                 (CF) values via          determines if form           Center (PSC)                                      logs Rep-Payee\n                    FALCON                 can be scanned                                                                   SSN in file\n\n\n                                         
                                                                                   3D\n\n                                                                     WBDOC Technician            CICS Acctg screen                                                               Rep-Payee SSN\n                                                                     clears Rep-Payee           increments WBDOC                                                   3F          file sent on-line to\n                                               Form can not\n                                                                     from "diary" using           electronic count &        3G                                                         NCC\n                                                be scanned                                                                                           3D\n                                                                      CICS Rep-Payee           triggers placement of\n                                                                     Accounting Screen             X in ROBOT file\n\n\n                     WBDOC                                                    WBDOC Technician            CICS Acctg screen                                                     NCC removes\n                                                                                                                                                       Nightly batch\n                 Technician inputs                                            clears Rep-Payee           increments WBDOC                                                      Rep-Payees from\n                                               WBDOC sorts        PC 7                                                                                removes Rep-\n     3B          Conserved Funds                                              from "diary" using           electronic count &          3G                                  
    ROBOT file based\n                                                Form by PC       (ODO)                                                                               Payee with Xs\n                  (CF) values via                                              CICS Rep-Payee           triggers placement of                                                   on SSNs from\n                                                                                                                                                    from ROBOT file\n                     FALCON                                                   Accounting Screen             X in ROBOT file                                                        WBDOC\n\n                                                                                                                                       3D\n                                      PC 1-6\n                                                                                                   3F\n                                                                                                                                                               These steps are shown to clarify how\n                      WBDOC                                                Scanner                                                                             the Rep-Payees are cleared from the\n                    Technician                                       increments WBDOC                                                                          ROBOT file, but are not explicitly on\n                      visually             Form is scanned            electronic count &                   3G                                                  the path that the subject data follows\n                 determines if form                                    logs Rep-Payee                                                        3E\n                                                
                                                                   The tabulation is\n                  can be scanned                                          SSN in file                              based on WBDOC\n                                                                                                                   electronic counts\n\n                                           WBDOC Technician            CICS Acctg screen            WBDOC tabulates\n                                           clears Rep-Payee            increments WBDOC                 count of                              Rep-Payee Accounting\n                     Form can not\n                                           from "diary" using            electronic count &         Accounting forms                        System writes completed             OSDD sends\n                      be scanned                                                                                                            transaction to RSACCOIM            RSACCOIM file to\n                                            CICS Rep-Payee            triggers placement of         processed in WB\n                                           Accounting Screen              X in ROBOT file               MI Report                              file based on removal            OIM (via LNK)\n                                                                                                                                                   from ROBOT file\n\nWBDOC subsequently resolves issues w/ Rep-\nPayee or sends to PC for further development                                    3D\n                                                                                                    WBDOC provides\n                                                                                                   WB MI Report to SSA           7C\n                WBDOC Technician              CICS Acctg screen                                    
       OIM                                    PEMI reads\n                clears Rep-Payee              increments WBDOC                                                                              transactional data           PEMI transfers\n     3C         from "diary" using             electronic count &          3G                                                                in RSACCOIM file           summary counts                7D\n                 CICS Rep-Payee            triggers placement of X                                                                              & calculates               to IWMS\n                Accounting Screen                 in ROBOT file                                                                               summary counts\n                                                                          The report includes counts for forms\n                                                                          that are cleared via both scanner and\n                                                                          CICS screen at WBDOC\n\n\n                                                                                               D-4\n\x0c                                           Representative-Payee Process (Continued)\n\n                Title XVI Accounting\n         4A\n                      Between 100,000 to 200,000 are         The date placed in the AR Diary is\n                      selected each month                    the 1st of the following month\n\n  SSI Redetermination                                                             SSI Redetermination                                Vendor prints &\n                            SSI Redetermination     SSI Redetermination                                     SSA OTSO places\n Merge Run (monthly)                                                                Merge Run sorts                                mails "First Request"\n                            
Merge Run creates       Merge Run formats                                       print files on tape\nselects "First Request"                                                           "First Request" print                                Rep-Payee\n                            an "AR" diary in the    "First Request" print                                      cartridges &\n  Rep-Payee cases to                                                              records by zip code                               Accounting forms\n                             beneficiary\'s SSR             record                                            sends to vendor\n target for accounting                                                            & writes them to file                              (SSA-623-SM)\n\n\n                                                    No response from Rep-Payee after 90 days\n\n\nSSI Redetermination         SSI Redetermination           SSI Redetermination                                   Vendor prints &\n                                                                                        SSA sends print\nMerge Run (monthly)           Merge Run adds                Merge Run sorts                                     mails "Second          Rep-Payee\n                                                                                       files to vendor on                                                Rep-Payee\n selects "Second          -1 Follow-up code to AR        "Second Request" print                               Request" Rep-Payee       receives &\n                                                                                      tape cartridges via                                             seeks assistance\nRequest" Rep-Payee        diary & formats "Second        records by zip code &                                 Accounting forms        reads form\n                                                                                              
OMBP\n      cases                Request" print record           writes them to file                                  (SSA-623-SM)\n\n                                                                                                                                                             Rep-Payee\n                                        No response from Rep-Payee after 150 days (total)\n                                                                                                                                                           desires help w/\n                                                                                                                                                             Accounting\nSSI Redetermination Merge        SSI Redetermination                                                                                                            form\nRun (monthly) selects "150       Merge Run (monthly)           FO attempts to\n Day Non-response" Rep-          sends 150 Day Non-            contact Rep-             5E\nPayee cases & adds "2" to        response list to FOs             Payee\n   REPSEL field in SSR            (via secure printer)                                                                                                           5E\n\n                          Rep-Payee not found or does\n                          not respond after 10 months                                                                                         WBDOC Clerk\n                                                                                                                                                identifies\n                                                                                                                                              approvals (no           5A\n SSI Redetermination\n                                                                          Rep-Payee fills out       WBDOC receives                 
            development\n Merge Run (monthly)\n                                  End                                     Accounting form &         Rep-Payee form in                            needed)\ndeletes AR diary from\n                                                                          mails it to WBDOC            Mail Room\n       record\n                                                                                                                                              WBDOC Clerk\n                                                                                                                                                identifies\n                                                                                                                                             exceptions that          5B\n              Approximately 6000 to 8000\n                                                                                                                                            should be handled\n               are deleted each month\n                                                                                                                                               by PCs 1-7\n                                           WBDOC estimates                                    WBDOC Clerk examines\n                                                                     WBDOC routes\n                                            number of forms                                   forms & sorts based on\n                                                                    forms to Benefits                                                         WBDOC Clerk\n                                           received based on                                   follow-on development                            identifies\n                                                                      Notices Area\n                                                 weight    
                                         requirements                             exceptions that          5C\n                                                                                                                                            can be handled by\n                                                                                                                                                 WBDOC\n                                                                            D-5\n\x0c                                                Representative-Payee Process (Continued)\n\n              PEOB is a multiple entry screen                                                                         These steps are shown                 RIC = Record\n                                                          Transaction Filename = ZDREP4PH.W\n               tool developed for WBDOC                                                                                   only for clarity                Identification Code\n                                                                                                  Scanner/Lifeworks\n                WBDOC                               WBDOC\n                                                                                                  System increments                               Transaction file\n               Technician           Form        Technician inputs           Form is scanned\n                                                                                                  WBDOC electronic                                  sent to NCC\n  5A             visually          can be       Conserved Funds              using Scanner/                                    5D\n                                                                                                count & writes "SSI PE"                          (Global DASD) via\n            determines if form    scanned       (CF) values using         
 Lifeworks System\n                                                                                                 record to transaction                                 FTMS\n             can be scanned                       PEOB Screen\n                                                                                                          file\n\n\n                                                                                                                                                                  ZEREPPYE\n                                   WBDOC Technician\n                                                                                                                                     CICS Screen              Program creates &\n                                   enters CF & clears          PEOB CICS Screen\n               Form can not                                                                                            5F           creates RIC "O"             formats RIC "O"\n                                    Rep-Payee from             increments WBDOC          5D\n               be scanned                                                                                                               Record                for each record in\n                                   "diary" using PEOB            electronic count\n                                                                                                                                                                Transaction file\n                                      CICS Screen\n\n                                                                                                5F\n\n                                             WBDOC Technician                                                                    Zenith Program (front           PE Update\n                                             enters CF & clears            PEOB CICS Screen                                   
    end of SSI System)            Program (SSI\n              WBDOC sorts          PC 7\n  5B                                          Rep-Payee from              increments WBDOC        5D                             funnels RIC "O" files        System) changes\n               Form by PC         (ODO)\n                                             "diary" using PEOB             electronic count                                    together for use by PE        AR Diary, CF & M\n                                                CICS Screen                                                                             Update                 fields on SSR\n\n                 PC 1-6                                                                           5F\n\n                                                                                                                                                           FO Technician helps\n                WBDOC                           WBDOC\n                                                                                                                                    Rep-Payee visits        Rep-Payee fill out\n               Technician          Form     Technician inputs         Form is scanned                                  5E\n                 visually         can be    Conserved Funds            using Scanner/                                                 Field Office          Accounting form\n                                                                                                                                                             (SSA-623-SM)\n            determines if form   scanned     (CF) values via         Lifeworks System     These steps are\n             can be scanned                      PEOB                                     shown to clarify how\n                                                                                          the Rep-Payees are\n                                    
cleared from the AR\nDiary\n\n[Process map, page D-6: remaining box text, in reading order]\n\nWBDOC Technician enters CF & clears Rep-Payee from "diary" using PEOB CICS Screen\nFO Technician clears Rep-Payee from "diary" using CICS SSI Data Input Screen (SPE Screen, formerly Form 1719B)\nPEOB CICS Screen creates record in centrally located traffic file (CT record)\nForm can not be scanned\nWBDOC subsequently resolves issues w/ Rep-Payee or sends to PC for further development\n5C: WBDOC Technician clears Rep-Payee from "diary" using PEOB CICS Screen\nPEOB CICS Screen increments WBDOC electronic count\nWBDOC tabulates count of Accounting forms processed in WB MI Report\nNote: The report includes counts for forms that are cleared via both scanner and CICS screen\nWBDOC provides WB MI Report to SSA OIM -> 7C\nPEMI reads traffic file to increment summary count\nPEMI transfers summary counts to IWMS -> 7E\nOther connector labels on this page: 5D, 5F\n\nD-6\n\x0cRepresentative-Payee Process (Continued)\n\n6A  Beneficiary and/or Rep-Payee Live Abroad\n\nPCACS = Program Center Action Control System\nACR = Action Control Record\nDSE = Direct Service Employee\nTOEL = Type of Event Level\nCDDM = Claims Development and Disability Module\n\nNote: Rep-Payee applicant can also mail in application to any of these locations.\nNote: There are approximately 24 object programs that interface with PCACS. These are tools that allow users to perform various tasks. At this point the TOEL codes are assigned.\n\n[Process map, page D-7: box text of each row, left to right]\n\nSSA, Beneficiary, or Rep-Payee identifies need to change (or add) Rep-Payee -> Rep-Payee candidate fills out application at embassy, consulate or military JAG office -> Embassy, consulate or JAG Office sends package to SSA PC8 (Baltimore) -> PC8 DSE reviews package & determines action(s) required -> DSE generates PCACS ACR with TOEL Code(s) & routes package accordingly -> OIO Technician reviews Rep-Payee application & compares to other candidates -> OIO Technician selects Rep-Payee based on SSA criteria -> OIO Technician enters selected Rep-Payee in RPS (if possible) & MBR or SSR -> Object program sends "COS" (Computer Operations Section) Read to PC8 -> OIO sends package to PC8 for storage in file or further processing -> OIO Technician clears ACR from PCACS -> PCACS increments work count for relevant TOEL Code(s) -> 7F\n\nRep-Payee Account requires a change of information (e.g., address, phone, etc) -> Rep-Payee fills out relevant document at embassy, consulate or military JAG office -> Embassy, consulate or post sends package to SSA PC8 (Baltimore) -> PC8 DSE reviews package & determines action(s) required -> DSE generates PCACS ACR with TOEL Code(s) & routes package accordingly -> OIO Technician processes change using relevant object program -> OIO Technician processes relevant changes in MBR, SSR or RPS -> Object program sends "COS" (Computer Output System) Read to PC8 -> CDDM sends package to be stored in file or further processed by OIO Technician -> OIO Technician clears ACR from PCACS -> PCACS increments work count for relevant TOEL Code(s) -> 7F\n\nSSA decides to investigate Rep-Payee -> OIO determines action(s) required & prepares PCACS ACR w/ TOEL codes -> CDDM conducts investigation & sends file to be stored or further processed by OIO Technician -> OIO Technician clears ACR from PCACS -> PCACS increments work count for relevant TOEL Code(s) -> 7F\n\n6B  WBDOC sends Rep-Payee Form to PC-8 (OIO) -> OIO determines action(s) required & prepares PCACS ACR w/ TOEL codes -> OIO Technician takes required action relative to deficient Rep-Payee Acctg form -> OIO Technician clears ACR from PCACS -> PCACS increments work count for relevant TOEL Code(s) -> 7G\n\nD-7\n\x0cRepresentative-Payee Process (Continued)\n\n[Process map, page D-8: box text of each row, left to right]\n\n7A  Title II Rep-Payee Changes -> IWMS stores count as IWMS Code 55972 & DOWR Category 15 -> OFPO uses SSAMIS GETDOWR to obtain DOWR 15 & enters value in CAS Code #04031 -> CAS sums counts and enters in CAS Code #0403 -> OFPO obtains Code #0403 for use in Accountability Report -> End\n\n7B  Title XVI Rep-Payee Changes -> IWMS stores count as IWMS Code 72952 & DOWR Category 24 -> OFPO uses SSAMIS GETDOWR to obtain DOWR 24 & enters value in CAS Code #04032\n\n7C  Title II & Title XVI Rep-Payee Accounting, WBDOC (OCRO) -> OIM receives WB MI Report & enters counts into IWMS Code 09272 -> OFPO uses SSAMIS to obtain IWMS 09272 value (OCRO portion only) & enters in CAS Code #04031 (OCRO)\nNote: The WB MI Report includes counts of processed forms for both Title II & XVI Rep-Payees\n\n7D  Title II Rep-Payee Accounting Form Cleared via CICS -> IWMS stores count as IWMS Code 19972 & DOWR Category 6 -> OFPO uses SSAMIS GETDOWR to obtain DOWR 6 & enters value in CAS Code #04031\n\n7E  Title XVI Rep-Payee Accounting Form Cleared via CICS -> IWMS stores count as IWMS Code 71052 & DOWR Category 7 -> OFPO uses SSAMIS GETDOWR to obtain DOWR 7 & enters value in CAS Code #04032\n\n7F  OIO Rep-Payee Changes -> OFPO uses TSO GETPCACS to obtain counts from PCACS using relevant TOEL Code(s) -> OFPO enters values into CAS Code #04031\n\n7G  OIO Rep-Payee Accounting -> OFPO uses TSO GETPCACS to obtain counts from PCACS using relevant TOEL Code(s) -> OFPO enters values into CAS Code #04034\n\nD-8\n\x0c'